Server 2016 And 2012 R2 – File And Folder Access Auditing And Monitoring Tutorial VIDEO TUTORIAL

In a server environment with many users and a lot of data that must be secured against access by unauthorized people, and in the fight against cyber theft, we also need to see our regular users' file and folder access patterns. File and folder auditing is the way: it is a two-step process that uses Group Policy and then the folder's security settings.

Please watch the video to see the above (to translate, click the Subtitle box in the YouTube video and then click Settings and language, as in this picture):

Transcript (machine generated so it contains errors)
1. 00:00:00:00 / 00:00:06:71 - a very good day to you in this video
2. 00:00:03:27 / 00:00:10:13 - let's have a look at how to audit access
3. 00:00:06:71 / 00:00:12:41 - to files and folders and then how to
4. 00:00:10:13 / 00:00:14:16 - look at the events and maybe even filter
5. 00:00:12:41 / 00:00:17:33 - it using a little bit of an advanced
6. 00:00:14:16 / 00:00:19:92 - system towards the end okay the simple
7. 00:00:17:33 / 00:00:22:85 - thing is it's in two processes one in
8. 00:00:19:92 / 00:00:25:92 - group policy you need to enable auditing
9. 00:00:22:85 / 00:00:30:00 - and the second is for the final folder
10. 00:00:25:92 / 00:00:32:93 - in its security section you need to
11. 00:00:30:00 / 00:00:36:11 - basically enable auditing there as well
12. 00:00:32:93 / 00:00:40:92 - okay that's the main two things so we'll
13. 00:00:36:11 / 00:00:49:94 - start off by going right to the basics
14. 00:00:40:92 / 00:00:54:96 - okay all right so here we have a folder
15. 00:00:49:95 / 00:00:58:73 - that we want to audit okay and in it it
16. 00:00:54:96 / 00:01:00:62 - has a another file everything within
17. 00:00:58:73 / 00:01:04:64 - that folder and its subfolders would
18. 00:01:00:62 / 00:01:09:03 - like to audit so the first thing is we
19. 00:01:04:65 / 00:01:12:24 - can set properties go to security go to
20. 00:01:09:03 / 00:01:17:15 - advanced go to auditing and then
21. 00:01:12:23 / 00:01:19:48 - basically add the users that you want to
22. 00:01:17:15 / 00:01:28:17 - we've already added the administrator
23. 00:01:19:48 / 00:01:31:37 - okay okay and then it'll find it you
24. 00:01:28:17 / 00:01:34:65 - click on it accept it and then basically
25. 00:01:31:37 / 00:01:38:75 - choose that okay we as you can see we've
26. 00:01:34:65 / 00:01:42:56 - already added okay so that's one step
27. 00:01:38:75 / 00:01:46:59 - the second step is to go to group policy
28. 00:01:42:56 / 00:01:50:39 - okay and for that you can go to server
29. 00:01:46:59 / 00:01:54:03 - manager okay and from server manager you
30. 00:01:50:39 / 00:02:04:85 - basically click on tools okay group
31. 00:01:54:03 / 00:02:10:18 - policy management that brings us to know
32. 00:02:04:85 / 00:02:13:37 - that window okay
33. 00:02:10:18 / 00:02:15:43 - which basically then has the policy set
34. 00:02:13:37 / 00:02:17:90 - up we're just doing it as a quick demo
35. 00:02:15:43 / 00:02:21:03 - so we're going into group policy objects
36. 00:02:17:90 / 00:02:23:81 - for the domain and default domain policy
37. 00:02:21:03 / 00:02:25:78 - right click on that click Edit don't
38. 00:02:23:81 / 00:02:27:05 - forget to make sure that it's enforced
39. 00:02:25:78 / 00:02:29:06 - how do you do that you just right click
40. 00:02:27:05 / 00:02:31:88 - on that and tick enforce that means it's
41. 00:02:29:06 / 00:02:35:56 - active the group policy object okay when
42. 00:02:31:87 / 00:02:41:96 - you click Edit okay that then brings up
43. 00:02:35:56 / 00:02:45:65 - this window and now in here okay you can
44. 00:02:41:96 / 00:02:48:56 - do it on computer configuration or you
45. 00:02:45:65 / 00:02:51:46 - can do it on user configuration okay
46. 00:02:48:56 / 00:02:54:94 - it's completely up to you in this case
47. 00:02:51:46 / 00:02:58:63 - we're choosing it based on this computer
48. 00:02:54:94 / 00:03:01:63 - system ok so computer configuration for
49. 00:02:58:63 / 00:03:03:93 - this domain ok then you drill all the
50. 00:03:01:63 / 00:03:07:60 - way down policies windows settings
51. 00:03:03:93 / 00:03:10:30 - security settings local policies then
52. 00:03:07:61 / 00:03:14:48 - you find audit policy and it has these
53. 00:03:10:30 / 00:03:19:70 - what we're looking at is a audit object
54. 00:03:14:47 / 00:03:21:59 - access now you can take both of them
55. 00:03:19:69 / 00:03:23:59 - make sure you click on define success
56. 00:03:21:59 / 00:03:25:00 - basically someone's tried to access it
57. 00:03:23:59 / 00:03:26:84 - they're being able to access it failure
58. 00:03:25:00 / 00:03:30:34 - someone's try to access it was unable to
59. 00:03:26:84 / 00:03:32:12 - access it okay make sure you have at
60. 00:03:30:34 / 00:03:35:50 - least one of these boxes ticked or both
61. 00:03:32:12 / 00:03:38:62 - okay and that box tick click OK and the
62. 00:03:35:50 / 00:03:41:75 - that sets it up now basically once
63. 00:03:38:62 / 00:03:45:12 - computers log off and log back on they
64. 00:03:41:75 / 00:03:50:56 - will get that group policy in the domain
65. 00:03:45:12 / 00:03:53:10 - ok and it's now active and we have set
66. 00:03:50:56 / 00:03:55:37 - it for this one folder on this computer
67. 00:03:53:11 / 00:03:59:93 - basically you could set it through group
68. 00:03:55:37 / 00:04:02:09 - policy or by individual folders route ok
69. 00:03:59:93 / 00:04:05:71 - now with a simple little test
70. 00:04:02:09 / 00:04:10:18 - ok I'm gonna go in here and just click
71. 00:04:05:71 / 00:04:17:54 - on it and then just it had some stuff in
72. 00:04:10:18 / 00:04:21:41 - there hello ok save it ok close it down
73. 00:04:17:54 / 00:04:26:62 - and now if we were to go to event viewer
74. 00:04:21:41 / 00:04:33:47 - which is available from basically server
75. 00:04:26:62 / 00:04:36:52 - manager or click over here and type an
76. 00:04:33:47 / 00:04:38:18 - event you find it same thing okay most
77. 00:04:36:52 / 00:04:42:81 - of these things also are available
78. 00:04:38:18 / 00:04:46:57 - through the search okay so over here now
79. 00:04:42:81 / 00:04:51:56 - it's going to be in security okay
80. 00:04:46:57 / 00:04:54:40 - and the key for it is 4663 the event
81. 00:04:51:56 / 00:04:56:72 - ID okay now that is what you're looking
82. 00:04:54:41 / 00:05:02:27 - for okay you could do a quick filter
83. 00:04:56:72 / 00:05:04:64 - over here and filter by 4 6 6 3 click ok
84. 00:05:02:26 / 00:05:09:25 - then we had all users over there and
85. 00:05:04:63 / 00:05:13:18 - basically as you can see ok I've
86. 00:05:09:25 / 00:05:16:30 - accessed that document going back I
87. 00:05:13:18 / 00:05:20:75 - access the folder ok and it has all that
88. 00:05:16:30 / 00:05:25:61 - now this is great ok what if we want to
89. 00:05:20:75 / 00:05:29:11 - come I come filter things by user etc
90. 00:05:25:61 / 00:05:34:79 - for this this is the advanced part where
91. 00:05:29:11 / 00:05:44:18 - we need to basically use PowerShell now
92. 00:05:34:79 / 00:05:47:24 - it's a very simple command I'll just
93. 00:05:44:18 / 00:05:48:74 - copy that and I'll paste it into here so
94. 00:05:47:24 / 00:05:51:43 - it's a little bit more readable
95. 00:05:48:74 / 00:05:54:29 - ok we've given it to a variable first
96. 00:05:51:43 / 00:05:57:16 - like a dollar event get win event and
97. 00:05:54:29 / 00:06:01:16 - then filter by and it has to be a hash
98. 00:05:57:16 / 00:06:03:32 - ok the log name is the security log ok
99. 00:06:01:16 / 00:06:07:58 - as we showed you in the event it's the
100. 00:06:03:31 / 00:06:10:33 - security log ok and then filter by ID
101. 00:06:07:57 / 00:06:13:43 - which was the event ID of that folder
102. 00:06:10:33 / 00:06:16:36 - access okay four six six three as we
103. 00:06:13:43 / 00:06:20:00 - showed over here four six three six six
104. 00:06:16:37 / 00:06:23:84 - three event ID now over here we have
105. 00:06:20:00 / 00:06:28:50 - another filtering data equals and this
106. 00:06:23:83 / 00:06:36:61 - is the security ID off in this case
107. 00:06:28:50 / 00:06:42:31 - our administrator okay if we go to one
108. 00:06:36:62 / 00:06:43:49 - of these let's just find it there we go
109. 00:06:42:31 / 00:06:48:92 - okay
110. 00:06:43:49 / 00:06:51:62 - so if we click on the event we find the
111. 00:06:48:92 / 00:06:54:92 - user ID for the administrator in this
112. 00:06:51:62 / 00:07:01:34 - case the SID okay and we just copied
113. 00:06:54:92 / 00:07:03:53 - that into our PowerShell command okay
114. 00:07:01:33 / 00:07:05:81 - and we've also given a start time okay
115. 00:07:03:52 / 00:07:09:76 - when do we want to start from basically
116. 00:07:05:81 / 00:07:12:98 - today's date okay and all we need to do
117. 00:07:09:76 / 00:07:17:08 - is just run that command it'll run
118. 00:07:12:98 / 00:07:20:48 - silently in the background and then just
119. 00:07:17:08 / 00:07:23:02 - one more okay we're now piping that
120. 00:07:20:48 / 00:07:25:79 - event okay that variable all the data
121. 00:07:23:02 / 00:07:27:79 - stay stored in that variable formatting
122. 00:07:25:79 / 00:07:30:89 - there's a list and then saving it to a
123. 00:07:27:80 / 00:07:32:81 - file it's saved in the same folder we
124. 00:07:30:88 / 00:07:37:84 - could have specified the exact location
125. 00:07:32:81 / 00:07:41:44 - okay and four six six three dot txt okay
126. 00:07:37:85 / 00:07:45:92 - and we go here we have our four six six
127. 00:07:41:44 / 00:07:49:84 - three dot txt and basically all events
128. 00:07:45:92 / 00:07:51:80 - basically that are happening on that
129. 00:07:49:85 / 00:07:54:80 - folder that we had set up auditing on
130. 00:07:51:80 / 00:07:58:81 - are now recorded and you can happily go
131. 00:07:54:80 / 00:08:00:35 - through it in notepad WordPad etc you
132. 00:07:58:81 / 00:08:03:01 - know we could have gone a little bit
133. 00:08:00:35 / 00:08:06:20 - further and comma separated values or
134. 00:08:03:01 / 00:08:08:38 - make it into an HTML file and all that
135. 00:08:06:19 / 00:08:10:03 - stuff but I'm sure for now this is a
136. 00:08:08:38 / 00:08:12:16 - general thing as you can see it's not
137. 00:08:10:04 / 00:08:16:81 - too bad just two simple commands and
138. 00:08:12:17 / 00:08:20:54 - you've got it filtered by the user ID
139. 00:08:16:81 / 00:08:22:97 - what shall we say event were we looking
140. 00:08:20:54 / 00:08:25:73 - for the event that in this instance it
141. 00:08:22:97 / 00:08:29:48 - was the file access okay and there ah
142. 00:08:25:73 / 00:08:33:25 - just one little thing that I can go
143. 00:08:29:48 / 00:08:39:02 - through if I was to
144. 00:08:33:25 / 00:08:43:91 - filter by X 20,000 okay that's all
145. 00:08:39:02 / 00:08:49:11 - basically reading rights okay of our
146. 00:08:43:91 / 00:08:52:27 - files okay so hopefully that is helped
147. 00:08:49:11 / 00:08:52:27 - thank you for watching
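The whole procedure from the video (enable object-access auditing, add an auditing entry on the folder, then pull the 4663 events for one user with Get-WinEvent and save them to a file) as one PowerShell script. This is an added example, not the script shown in the video: the folder path C:\AuditedShare, the account CONTOSO\jdoe and the output paths under C:\Reports are assumed placeholders, and the policy step uses auditpol locally on the file server instead of the Group Policy editor.

```powershell
# Added example (not the video's own script). Assumptions: the audited folder is
# C:\AuditedShare, the watched account is CONTOSO\jdoe, and reports go under
# C:\Reports. Run from an elevated PowerShell on the file server.

# --- Step 1: enable object-access auditing for the file system on this server.
# The video does this through Group Policy (Local Policies > Audit Policy >
# Audit object access); auditpol sets the equivalent advanced subcategory locally.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# --- Step 2: add an auditing entry (SACL) to the folder, as done in the video via
# Properties > Security > Advanced > Auditing. Audit success and failure for
# reads, writes and deletes by the user, inherited by subfolders and files.
$folder   = 'C:\AuditedShare'
$identity = 'CONTOSO\jdoe'
$rights   = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles'
$inherit  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop     = [System.Security.AccessControl.PropagationFlags]::None
$flags    = [System.Security.AccessControl.AuditFlags]'Success, Failure'

$rule = New-Object System.Security.AccessControl.FileSystemAuditRule($identity, $rights, $inherit, $prop, $flags)
$acl  = Get-Acl -Path $folder -Audit      # -Audit is required to read/write the SACL
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# --- Step 3: today's 4663 events for that account, as in the video's Get-WinEvent
# command. Resolving the account to its SID replaces copying it out of an event
# by hand; the Data key matches events whose event data contains that SID.
$sid = (New-Object System.Security.Principal.NTAccount($identity)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    ID        = 4663
    StartTime = (Get-Date).Date
    Data      = $sid
} -ErrorAction SilentlyContinue

# --- Step 4: keep only events under the audited folder and pull out the fields
# an investigator reads first (who, what object, which access mask, which process).
$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
    if ($data.ObjectName -like "$folder*") {
        [pscustomobject]@{
            Time       = $e.TimeCreated
            User       = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            Object     = $data.ObjectName
            AccessMask = $data.AccessMask    # e.g. 0x20000 = READ_CONTROL (read permissions)
            Process    = $data.ProcessName
        }
    }
}

# Plain-text list as in the video, plus the CSV variant the video mentions.
$rows | Format-List | Out-File -FilePath 'C:\Reports\4663.txt'
$rows | Export-Csv -Path 'C:\Reports\4663.csv' -NoTypeInformation
```

Two things to keep in mind when running this on a real server: the advanced "File System" subcategory takes precedence over the legacy "Audit object access" setting once any advanced subcategory is configured, so check `auditpol /get /category:"Object Access"` after the change rather than assuming the Group Policy setting is what is in effect; and because 4663 is logged for every audited handle use, filtering on the ObjectName prefix (Step 4) is what keeps the report to the folder you actually set auditing on.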
Visit our YouTube channel: https://www.youtube.com/channel/UCFj1BHYIUYfPWPb1Xn5qFIg